Keeping operational technology (OT) and industrial control systems (ICS) software and firmware to their current version levels through patching is among the most effective ways to keep systems secure from exploitation. However, keeping all systems patched in these complex—and often aging—environments isn't always a viable option.
Garry Drummond, CEO at LOCH Technologies, explains that OT/ICS environments are tricky to keep patched and that compensating controls are essential—especially in environments where OT must be integrated with IT.
"Compensating controls should be carefully evaluated and implemented in the context of the specific risks and operational requirements of your IT/OT environment. They should not be seen as inferior to primary controls, but as a strategic component of a comprehensive security strategy," he adds.
As was covered in “OT Patch Management Truths,” there are significant patching hurdles in OT/ICS environments, such as patching constraints because of downtime, legacy systems, proprietary protocol issues, challenges with vulnerability assessments, and the sheer diversity of systems in these organizations.
Such inability to patch in a timely fashion, or even at all, makes it critical that effective defenses in the form of compensating controls are in place that mitigate the risks associated with running those unpatched systems.
"In integrated IT/OT environments, especially considering the Purdue Model's emphasis on separation, compensating controls are key when standard security measures are not feasible," says Robin Berthier, CEO at Network Perception.
Experts recommend the following compensating controls be considered:
Accurate asset inventory: An accurate OT/ICS inventory is challenging because of the complexities of these environments, as well as the number of proprietary protocols, and very old legacy systems. Comprehensive visibility into the environment makes it possible to gather an accurate asset inventory and understand the connections and dependencies within the environment. THis allows for more comprehensive deployment of security controls, especially for internet-facing systems and network components.
Allow only approved devices and systems. Only those devices and applications explicitly approved to be in the environment should be permitted to run.
System and network segmentation. "Where it's not feasible to apply the same level of security across both IT and OT networks, network segmentation can act as a compensating control," says Drummond. Segmentation divides a network into multiple physical or virtual zones, each operating independently. Segmented networks can help contain intrusions, compartmentalizing security incidents to one network segment, and mitigating the risk that the attack or malware spreads to other areas within the broader network.
Strengthen access controls. Making sure to rid devices within the environment of default passwords, and instead enforcing strong password creation and using multi-factor authentication will go a long way to helping the overall security of the environment.
Network monitoring. Taking the asset inventory, tracking known vulnerabilities, mapping vulnerabilities to assets, and closely monitoring activity can substantially mitigate risk, especially with an incident response plan for identifying suspicious activity. "In cases where preventive controls are limited, increased monitoring and detection can be an effective compensating control," says Drummond.
As crucial as discrete compensating controls can be to keeping unpatched systems as secure as possible, they function better when part of a defensible cybersecurity architecture designed with the Purdue Model or the ISA/IEC 62443 in mind. In addition, many experts propose a zero-trust architecture to minimize risks for unpatched vulnerabilities and limit the impact of any resulting breaches.
"Ensuring the architecture that supports OT and IoT devices is in line with zero trust principles helps greatly," says Jonathan Sword, director at cybersecurity consultancy Agility Security.
As Sword explains, zero trust removes the trust in the network, mitigating much of the risk in the environment. And, with zero trust, "each device authenticates specific services to specific services on another device, with the access only visible and granted in a granular fashion, thus reducing the attack surface," explains Sword.
While being able to patch outdated and at-risk systems rapidly is the ideal—because of the operational disruption, complexity, and even the lack of available patches for old systems—it's not always feasible in OT/ICS environments, and providing compensating controls to bolster defenses is necessary until patches can be deployed or vulnerable systems replaced.
George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.